Zenarmor (Sensei) / Application Policies - details
« on: May 22, 2022, 06:51:40 am »
I am new to Opnsense / Zenarmor and really enjoying it; this is a great community.
Some things that baffle me:
- Is more detail available for Application Policies? Especially when it's not exactly clear what is being blocked; specifically:
- Software Updates - Apple Pipeline
- Software Updates - Apple Telemetry
- Network Management - iPhone SecurityD
I also observed that the block for 'Proxy - iCloud Private Relay' doesn't work unless you also disable 'Media Streaming - Quic UDP Connection'.
'Proxy - iCloud Private Relay' appears to block mask-h2.icloud.com but not mask.icloud.com? (I know the firewall is not an ideal block for these; I should be issuing NXDOMAIN with Unbound, but given I have a steep learning curve with the CLI and don't really want to break my config files, I make do with blocking via the firewall and manually turning off Private Relay on my existing devices. The firewall method still causes a long client delay before ICPR gives up, which is frustrating.)
I am also forced to block QUIC; without doing so the value of the firewall is diminished, something I discovered on this journey. It appears Google, Facebook, Instagram, Apple - nearly everything uses it nowadays.
Will firewalls ever be able to inspect QUIC in the future?
Thanks for your time reading this.
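The NXDOMAIN approach the post mentions, as an added example that is not part of the original post and not Zenarmor's or OPNsense's own code: a small POSIX sh script that writes an Unbound include answering NXDOMAIN for the two Private Relay hostnames named above (mask.icloud.com and mask-h2.icloud.com). The include directory /usr/local/etc/unbound.opnsense.d/ is OPNsense's custom-Unbound include location; the file name icpr-nxdomain.conf and the function names are this example's own choices. It runs offline, since it only generates and checks a file.

```shell
#!/bin/sh
# Added example (not from the original post): generate an Unbound include
# that returns NXDOMAIN for the iCloud Private Relay hostnames named in the
# post. With no answer for these names, clients fall back from Private Relay
# immediately instead of waiting on a firewall block to time out.
#
# Assumed OPNsense include directory for custom Unbound config:
#   /usr/local/etc/unbound.opnsense.d/
# Usage: sh icpr-nxdomain.sh [output-file]   (then restart Unbound)

# The two hostnames the post names. "always_nxdomain" makes Unbound answer
# NXDOMAIN for the zone and everything below it, so mask.icloud.com also
# covers any subdomain a client might try under it.
ICPR_HOSTS="mask.icloud.com mask-h2.icloud.com"

# Print the Unbound configuration fragment to stdout.
# Unbound permits a fresh "server:" clause in an included file.
icpr_unbound_conf() {
    printf 'server:\n'
    for h in $ICPR_HOSTS; do
        printf '    local-zone: "%s" always_nxdomain\n' "$h"
    done
}

# Write the fragment to the given path (default: the OPNsense include dir).
# If unbound-checkconf is on the box, run it and report, without failing the
# install on a warning-only result.
icpr_install() {
    out="${1:-/usr/local/etc/unbound.opnsense.d/icpr-nxdomain.conf}"
    icpr_unbound_conf > "$out" || return 1
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$out" || printf 'warning: unbound-checkconf reported a problem with %s\n' "$out"
    fi
    printf 'wrote %s\n' "$out"
}

# Check that a written file carries an always_nxdomain zone for every host.
# Returns 0 when all are present, 1 otherwise.
icpr_verify_file() {
    f="$1"
    for h in $ICPR_HOSTS; do
        grep -q "local-zone: \"$h\" always_nxdomain" "$f" || return 1
    done
    return 0
}

# Only install when run as the script itself, not when sourced for testing.
case "$0" in
    *icpr-nxdomain.sh) icpr_install "$1" ;;
esac
```

After writing the file, restart Unbound from the OPNsense GUI (or `configctl unbound restart`) and confirm from a LAN client with `drill mask.icloud.com @<firewall-ip>` that the status is NXDOMAIN. This only covers the DNS side; the QUIC fallback the post describes still needs the 'Media Streaming - Quic UDP Connection' block (UDP/443) so Zenarmor sees the TCP traffic it can classify.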